It turned out the SSL cert thumbprints the NSX manager was seeing were the old ESXi host SSL certs which I changed to signed certs a couple of days back. Since then I hadn't rebooted the hosts I had simply restarted hostd and vpxa. A restart still didn't fix the issues. It did do one thing though. A restart of ESXi 6.5U1 deleted the backups I had made in /etc/vmware/ssl/backups. The entire directory had gone! So I couldn't go back to the old certs to fix the issue.

So I simply disconnected the ESXi hosts from vCenter and reconnected them. Problem solved. NSX controllers deployed without issue. vCenter had been rebooted many times but for whatever reason it still though the ESXi hosts were connected with a different thumbprint, which must have been where NSX manager got the thumbprint from. We live and learn!